// the find
kumahq/kuma
🐻 The multi-zone service mesh for containers, Kubernetes and VMs. Built with Envoy. CNCF Sandbox Project.
Kuma is an Envoy-based service mesh control plane that runs on Kubernetes, VMs, and bare metal, with native multi-zone and multi-mesh support built into the architecture from day one. It was created by Kong and donated to CNCF (currently Sandbox status). The target is teams running services across heterogeneous infrastructure — containers plus legacy VMs — who need a single mesh spanning all of it.
Multi-zone support is a first-class design, not a retrofit: the Global CP + Zone CP model means cross-cluster policy propagation is built into the sync protocol rather than bolted on with federation hacks. Universal mode for VMs is genuine — you can attach bare-metal services to the same mesh as your Kubernetes pods without a separate control plane. The policy model (MeshHTTPRoute, MeshFaultInjection, MeshRetry, etc.) abstracts Envoy xDS into something a normal team can operate without reading Envoy's config documentation. The CI pipeline is serious: CodeQL scanning, OpenSSF Scorecard, linter enforcement, and an extensive e2e test matrix suggest the codebase is maintained with real discipline.
CNCF Sandbox is a warning sign at this stage — Istio and Linkerd are both Graduated, meaning the ecosystem has largely picked sides, and Kuma's 3,973 stars versus Istio's ~35k reflects a real adoption gap. Kong remains the dominant contributor, so 'CNCF neutral' is somewhat aspirational; if Kong's strategic priorities shift, the project feels the effect immediately. The multi-zone Global CP architecture that's a strength in production is a liability in operations: you're now running and troubleshooting a distributed control plane tier with its own failure modes on top of your application infrastructure. And Envoy abstraction only gets you so far — when something breaks in traffic routing, you're eventually staring at Envoy's internal state with `envoy/config_dump`, and the abstraction doesn't help you there.